Cyber challenge: Securing private-sector IT with a minimum of regulation

By William Jackson

Jun 24, 2011

Legislators are struggling with the extent of the role government should play in protecting private-sector information infrastructure, seeking a sweet spot between laissez-faire and federal regulation. Arguments for and against the administration’s proposal for comprehensive cybersecurity legislation were heard during a June 24 hearing.

A financial industry representative supported the president’s proposal, which would establish best-practice requirements for critical infrastructure.

“Given that our member institutions operate nationally, are highly interdependent with other industries, and are already closely supervised by multiple regulators, we appreciate that this proposal promotes uniform national standards, throughout the cyber ecosystem, with the active engagement of sector-specific agencies and sector regulators,” Leigh Williams, of the Financial Services Roundtable, told the House Homeland Security Subcommittee on Cybersecurity.

But the head of the Internet Security Alliance trade organization warned that the proposal would fundamentally alter the existing partnership between government and industry and said it is at odds with the president’s promise not to dictate security standards for government.

“After waiting two years for the administration to follow up on its Cyberspace Policy Review, we received a legislative proposal produced without coordination with the private-sector partnership the administration itself had established for this purpose,” said ISA president Larry Clinton.

Clinton favored an incentives-based approach that would encourage companies to invest in cybersecurity “because they want to, not because we’re making them.”

Representatives were uniformly cautious about the prospect of regulating private-sector cybersecurity, but also questioned if it would be possible to adequately secure the nation’s critical infrastructure with a voluntary opt-in approach.

Subcommittee Chairman Rep. Dan Lungren (R-Calif.) said that some congressional action would be needed to establish incentives desired by businesses, such as safe harbors for shared critical information and improved cybersecurity insurance.

President Obama last month released the legislative proposal, which would put the Homeland Security Department in charge of the security of federal IT systems but give it only limited authority to oversee the security of privately owned critical infrastructure. It also creates a regulatory framework for non-government critical infrastructure that requires owners and operators to develop security plans.

Administration officials characterized the proposal as a starting point for discussions with Congress and industry, a view shared by Lungren.

“The proposal is not the end of an effort, but the beginning of a much needed debate over how we will address these dynamic threats,” he said. “The status quo is not acceptable.”

Congress has not suffered from a lack of cybersecurity bills. The 111th Congress considered more than 50 pieces of cybersecurity legislation, said Melissa Hathaway, who led the president’s 60-day Cyberspace Policy Review. In the current session at least 10 pieces of cybersecurity legislation have been introduced in the Senate and at least another nine in the House of Representatives. But none of them have been complete, Hathaway said.

“Like many of the bills of the 111th Congress, the bills in the 112th address niches of the cybersecurity problems facing the nation; even if taken together, none of them address the situation in a comprehensive manner,” she said. She said the president’s proposal represents a broad inter-agency consensus, but conceded that it was not created in collaboration with industry. She said any final bill would have to be created in collaboration with Congress and with private-sector input.

Clinton said that the current proposal focuses too much on mandating security requirements and that the emphasis on breach disclosure creates an incentive for businesses to hide or ignore problems. He added that available security technology is not being implemented because of cost and that cybersecurity should be treated as a business problem.

“Some have suggested that the market has failed to produce the needed technology to address the cyber threat,” he said. “That is not the case. The fact is that many companies don’t see an adequate ROI to cyber investments.” Clinton said government’s role in the process should be to help create and define the return on investment.

“To accommodate the needs of a wide variety of critical infrastructures with different economic models, the public-private partnership should develop a menu of incentives that can be tied to voluntary adoption of widely accepted and proven successful security best practices, standards, and technologies,” he said.

One point on which everyone agreed was the need for a national data breach notification law to replace the current patchwork of 47 state laws. Williams said the states had provided a valuable laboratory for developing breach notification requirements, but that the laws have matured and it is time for federal action.

“Now we are ready for a national model,” Williams said. “We would like to see some uniformity at the national level.”